1/* 2 * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include "internal/cryptlib.h" 12#include <openssl/asn1t.h> 13#include <openssl/x509.h> 14#include <openssl/ec.h> 15#include "ec_local.h" 16#include <openssl/evp.h> 17#include "crypto/evp.h" 18 19/* EC pkey context structure */ 20 21typedef struct { 22 /* Key and paramgen group */ 23 EC_GROUP *gen_group; 24 /* message digest */ 25 const EVP_MD *md; 26 /* Duplicate key if custom cofactor needed */ 27 EC_KEY *co_key; 28 /* Cofactor mode */ 29 signed char cofactor_mode; 30 /* KDF (if any) to use for ECDH */ 31 char kdf_type; 32 /* Message digest to use for key derivation */ 33 const EVP_MD *kdf_md; 34 /* User key material */ 35 unsigned char *kdf_ukm; 36 size_t kdf_ukmlen; 37 /* KDF output length */ 38 size_t kdf_outlen; 39} EC_PKEY_CTX; 40 41static int pkey_ec_init(EVP_PKEY_CTX *ctx) 42{ 43 EC_PKEY_CTX *dctx; 44 45 if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) { 46 ECerr(EC_F_PKEY_EC_INIT, ERR_R_MALLOC_FAILURE); 47 return 0; 48 } 49 50 dctx->cofactor_mode = -1; 51 dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE; 52 ctx->data = dctx; 53 return 1; 54} 55 56static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) 57{ 58 EC_PKEY_CTX *dctx, *sctx; 59 if (!pkey_ec_init(dst)) 60 return 0; 61 sctx = src->data; 62 dctx = dst->data; 63 if (sctx->gen_group) { 64 dctx->gen_group = EC_GROUP_dup(sctx->gen_group); 65 if (!dctx->gen_group) 66 return 0; 67 } 68 dctx->md = sctx->md; 69 70 if (sctx->co_key) { 71 dctx->co_key = EC_KEY_dup(sctx->co_key); 72 if (!dctx->co_key) 73 return 0; 74 } 75 dctx->kdf_type = sctx->kdf_type; 76 dctx->kdf_md = sctx->kdf_md; 77 dctx->kdf_outlen = sctx->kdf_outlen; 78 if (sctx->kdf_ukm) { 79 dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen); 80 if (!dctx->kdf_ukm) 81 return 0; 82 } else 83 dctx->kdf_ukm = NULL; 84 dctx->kdf_ukmlen = sctx->kdf_ukmlen; 85 return 1; 86} 87 88static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) 89{ 90 EC_PKEY_CTX *dctx = ctx->data; 91 if (dctx != NULL) { 92 EC_GROUP_free(dctx->gen_group); 93 EC_KEY_free(dctx->co_key); 94 OPENSSL_free(dctx->kdf_ukm); 95 OPENSSL_free(dctx); 96 ctx->data = NULL; 97 } 98} 99 100static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, 101 const unsigned char *tbs, size_t tbslen) 102{ 103 int ret, type; 104 unsigned int sltmp; 105 EC_PKEY_CTX *dctx = ctx->data; 106 EC_KEY *ec = ctx->pkey->pkey.ec; 107 const int sig_sz = ECDSA_size(ec); 108 109 /* ensure cast to size_t is safe */ 110 if (!ossl_assert(sig_sz > 0)) 111 return 0; 112 113 if (sig == NULL) { 114 *siglen = (size_t)sig_sz; 115 return 1; 116 } 117 118 if (*siglen < (size_t)sig_sz) { 119 ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL); 120 return 0; 121 } 122 123 type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1; 124 125 ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); 126 127 if (ret <= 0) 128 return ret; 129 *siglen = (size_t)sltmp; 130 return 1; 131} 132 133static int pkey_ec_verify(EVP_PKEY_CTX *ctx, 134 const unsigned char *sig, size_t siglen, 135 const unsigned char *tbs, size_t tbslen) 136{ 137 int ret, type; 138 EC_PKEY_CTX *dctx = ctx->data; 139 EC_KEY *ec = ctx->pkey->pkey.ec; 140 141 if (dctx->md) 142 type = EVP_MD_type(dctx->md); 143 else 144 type = NID_sha1; 145 146 ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); 147 148 return ret; 149} 150 151#ifndef OPENSSL_NO_EC 152static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) 153{ 154 int ret; 155 size_t outlen; 156 const EC_POINT *pubkey = NULL; 157 EC_KEY *eckey; 158 EC_PKEY_CTX *dctx = ctx->data; 159 if (!ctx->pkey || !ctx->peerkey) { 160 ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET); 161 return 0; 162 } 163 164 eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec; 165 166 if (!key) { 167 const EC_GROUP *group; 168 group = EC_KEY_get0_group(eckey); 169 *keylen = (EC_GROUP_get_degree(group) + 7) / 8; 170 return 1; 171 } 172 pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); 173 174 /* 175 * NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not 176 * an error, the result is truncated. 177 */ 178 179 outlen = *keylen; 180 181 ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0); 182 if (ret <= 0) 183 return 0; 184 *keylen = ret; 185 return 1; 186} 187 188static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, 189 unsigned char *key, size_t *keylen) 190{ 191 EC_PKEY_CTX *dctx = ctx->data; 192 unsigned char *ktmp = NULL; 193 size_t ktmplen; 194 int rv = 0; 195 if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE) 196 return pkey_ec_derive(ctx, key, keylen); 197 if (!key) { 198 *keylen = dctx->kdf_outlen; 199 return 1; 200 } 201 if (*keylen != dctx->kdf_outlen) 202 return 0; 203 if (!pkey_ec_derive(ctx, NULL, &ktmplen)) 204 return 0; 205 if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL) { 206 ECerr(EC_F_PKEY_EC_KDF_DERIVE, ERR_R_MALLOC_FAILURE); 207 return 0; 208 } 209 if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) 210 goto err; 211 /* Do KDF stuff */ 212 if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, 213 dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) 214 goto err; 215 rv = 1; 216 217 err: 218 OPENSSL_clear_free(ktmp, ktmplen); 219 return rv; 220} 221#endif 222 223static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) 224{ 225 EC_PKEY_CTX *dctx = ctx->data; 226 EC_GROUP *group; 227 switch (type) { 228 case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: 229 group = EC_GROUP_new_by_curve_name(p1); 230 if (group == NULL) { 231 ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE); 232 return 0; 233 } 234 EC_GROUP_free(dctx->gen_group); 235 dctx->gen_group = group; 236 return 1; 237 238 case EVP_PKEY_CTRL_EC_PARAM_ENC: 239 if (!dctx->gen_group) { 240 ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET); 241 return 0; 242 } 243 EC_GROUP_set_asn1_flag(dctx->gen_group, p1); 244 return 1; 245 246#ifndef OPENSSL_NO_EC 247 case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: 248 if (p1 == -2) { 249 if (dctx->cofactor_mode != -1) 250 return dctx->cofactor_mode; 251 else { 252 EC_KEY *ec_key = ctx->pkey->pkey.ec; 253 return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; 254 } 255 } else if (p1 < -1 || p1 > 1) 256 return -2; 257 dctx->cofactor_mode = p1; 258 if (p1 != -1) { 259 EC_KEY *ec_key = ctx->pkey->pkey.ec; 260 if (!ec_key->group) 261 return -2; 262 /* If cofactor is 1 cofactor mode does nothing */ 263 if (BN_is_one(ec_key->group->cofactor)) 264 return 1; 265 if (!dctx->co_key) { 266 dctx->co_key = EC_KEY_dup(ec_key); 267 if (!dctx->co_key) 268 return 0; 269 } 270 if (p1) 271 EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); 272 else 273 EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); 274 } else { 275 EC_KEY_free(dctx->co_key); 276 dctx->co_key = NULL; 277 } 278 return 1; 279#endif 280 281 case EVP_PKEY_CTRL_EC_KDF_TYPE: 282 if (p1 == -2) 283 return dctx->kdf_type; 284 if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63) 285 return -2; 286 dctx->kdf_type = p1; 287 return 1; 288 289 case EVP_PKEY_CTRL_EC_KDF_MD: 290 dctx->kdf_md = p2; 291 return 1; 292 293 case EVP_PKEY_CTRL_GET_EC_KDF_MD: 294 *(const EVP_MD **)p2 = dctx->kdf_md; 295 return 1; 296 297 case EVP_PKEY_CTRL_EC_KDF_OUTLEN: 298 if (p1 <= 0) 299 return -2; 300 dctx->kdf_outlen = (size_t)p1; 301 return 1; 302 303 case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: 304 *(int *)p2 = dctx->kdf_outlen; 305 return 1; 306 307 case EVP_PKEY_CTRL_EC_KDF_UKM: 308 OPENSSL_free(dctx->kdf_ukm); 309 dctx->kdf_ukm = p2; 310 if (p2) 311 dctx->kdf_ukmlen = p1; 312 else 313 dctx->kdf_ukmlen = 0; 314 return 1; 315 316 case EVP_PKEY_CTRL_GET_EC_KDF_UKM: 317 *(unsigned char **)p2 = dctx->kdf_ukm; 318 return dctx->kdf_ukmlen; 319 320 case EVP_PKEY_CTRL_MD: 321 if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 && 322 EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 && 323 EVP_MD_type((const EVP_MD *)p2) != NID_sha224 && 324 EVP_MD_type((const EVP_MD *)p2) != NID_sha256 && 325 EVP_MD_type((const EVP_MD *)p2) != NID_sha384 && 326 EVP_MD_type((const EVP_MD *)p2) != NID_sha512 && 327 EVP_MD_type((const EVP_MD *)p2) != NID_sha3_224 && 328 EVP_MD_type((const EVP_MD *)p2) != NID_sha3_256 && 329 EVP_MD_type((const EVP_MD *)p2) != NID_sha3_384 && 330 EVP_MD_type((const EVP_MD *)p2) != NID_sha3_512) { 331 ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE); 332 return 0; 333 } 334 dctx->md = p2; 335 return 1; 336 337 case EVP_PKEY_CTRL_GET_MD: 338 *(const EVP_MD **)p2 = dctx->md; 339 return 1; 340 341 case EVP_PKEY_CTRL_PEER_KEY: 342 /* Default behaviour is OK */ 343 case EVP_PKEY_CTRL_DIGESTINIT: 344 case EVP_PKEY_CTRL_PKCS7_SIGN: 345 case EVP_PKEY_CTRL_CMS_SIGN: 346 return 1; 347 348 default: 349 return -2; 350 351 } 352} 353 354static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx, 355 const char *type, const char *value) 356{ 357 if (strcmp(type, "ec_paramgen_curve") == 0) { 358 int nid; 359 nid = EC_curve_nist2nid(value); 360 if (nid == NID_undef) 361 nid = OBJ_sn2nid(value); 362 if (nid == NID_undef) 363 nid = OBJ_ln2nid(value); 364 if (nid == NID_undef) { 365 ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE); 366 return 0; 367 } 368 return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid); 369 } else if (strcmp(type, "ec_param_enc") == 0) { 370 int param_enc; 371 if (strcmp(value, "explicit") == 0) 372 param_enc = 0; 373 else if (strcmp(value, "named_curve") == 0) 374 param_enc = OPENSSL_EC_NAMED_CURVE; 375 else 376 return -2; 377 return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc); 378 } else if (strcmp(type, "ecdh_kdf_md") == 0) { 379 const EVP_MD *md; 380 if ((md = EVP_get_digestbyname(value)) == NULL) { 381 ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST); 382 return 0; 383 } 384 return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md); 385 } else if (strcmp(type, "ecdh_cofactor_mode") == 0) { 386 int co_mode; 387 co_mode = atoi(value); 388 return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode); 389 } 390 391 return -2; 392} 393 394static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 395{ 396 EC_KEY *ec = NULL; 397 EC_PKEY_CTX *dctx = ctx->data; 398 int ret; 399 400 if (dctx->gen_group == NULL) { 401 ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET); 402 return 0; 403 } 404 ec = EC_KEY_new(); 405 if (ec == NULL) 406 return 0; 407 if (!(ret = EC_KEY_set_group(ec, dctx->gen_group)) 408 || !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec))) 409 EC_KEY_free(ec); 410 return ret; 411} 412 413static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) 414{ 415 EC_KEY *ec = NULL; 416 EC_PKEY_CTX *dctx = ctx->data; 417 int ret; 418 419 if (ctx->pkey == NULL && dctx->gen_group == NULL) { 420 ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET); 421 return 0; 422 } 423 ec = EC_KEY_new(); 424 if (ec == NULL) 425 return 0; 426 if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) { 427 EC_KEY_free(ec); 428 return 0; 429 } 430 /* Note: if error is returned, we count on caller to free pkey->pkey.ec */ 431 if (ctx->pkey != NULL) 432 ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey); 433 else 434 ret = EC_KEY_set_group(ec, dctx->gen_group); 435 436 return ret ? EC_KEY_generate_key(ec) : 0; 437} 438 439const EVP_PKEY_METHOD ec_pkey_meth = { 440 EVP_PKEY_EC, 441 0, 442 pkey_ec_init, 443 pkey_ec_copy, 444 pkey_ec_cleanup, 445 446 0, 447 pkey_ec_paramgen, 448 449 0, 450 pkey_ec_keygen, 451 452 0, 453 pkey_ec_sign, 454 455 0, 456 pkey_ec_verify, 457 458 0, 0, 459 460 0, 0, 0, 0, 461 462 0, 463 0, 464 465 0, 466 0, 467 468 0, 469#ifndef OPENSSL_NO_EC 470 pkey_ec_kdf_derive, 471#else 472 0, 473#endif 474 pkey_ec_ctrl, 475 pkey_ec_ctrl_str 476}; 477